ONC, FDA aligning app guidance with broader health IT policy

The Office of the National Coordinator for Health IT has taken a leadership position in promoting the implementation of health IT across the country. ONC is actively supporting the adoption of health IT and the promotion of nationwide health information exchange to improve America's healthcare system. FierceMobileHealthcare had the opportunity to speak with Jodi Daniel, Director of ONC's Office of Policy and Planning. 

In that capacity, Daniel, who is a lawyer by training, is responsible for thought leadership, policy development, and identifying "policy levers" for health IT activities, including establishing new policies and working with other federal agencies and private organizations to coordinate efforts regarding adoption and health information exchange. 

In addition, FierceMobileHealthcare was able to talk with Kathryn Marchesini, a senior analyst and advisor to ONC's chief privacy officer on issues of privacy and security related to mHealth. Marchesini, who is also an attorney, helped to address some of the challenges in securing mobile devices and highlighted the office's activities in this area.

FMH: ONC is supporting the adoption of health IT and the promotion of nationwide health information exchange to improve healthcare. But, what about mHealth?

Daniel (right): You're right, we support health IT adoption. mHealth is a type of technology that is a part of health information technology, as I see it. It's a type of technology that can support health and wellness, which is our goal, as well as to improve health and healthcare. As more folks are using mobile technology and devices, mHealth can be an effective way of using technology to support these goals. So, we see it as a subset of the activities that we are focused on.

Mobile is obviously where computing is going. It's powerful. It's a way of reaching a large number of people in their daily lives. And, it supports the scalability of health information, which is something that we are trying to promote to make sure that it is available where and when it is needed. Within the scope of our mission, it's something that we're both paying attention to, making sure our policies are supportive of, and thinking about how we might be able to leverage that shift in our work, our policies, and our guidance. I don't see it as a separate and distinct thing. I see it as part of the broader scope that we have. 

FMH: Do you see a role for mHealth in electronic health records, perhaps in Meaningful Use Stage 3? For instance, will Stage 3 encourage medical practices and hospitals to enlist their patients to use health devices and apps, and to accept patient-generated data into EHRs?

Daniel: When we establish the criteria and standards for certifying EHR technology, we don't specify what kind of tools can be used to represent those functionalities. We know that some EHRs are providing mobile platforms for providers. So, our role doesn't necessarily call out mobile health but I don't think that it precludes the use of mobile health either. Folks can figure out the best ways of developing, certifying and implementing EHR technology and making tools available to providers that help support them in Meaningful Use of the technology.

The one thing I will say is for Stage 3 there have been conversations among our Health IT Policy Committee, our advisory committee which makes recommendations to ONC, about patient-generated health data and how information that individuals collect may be made available to clinicians through certified EHR technology. That's something that we're awaiting input and recommendations on from them as to whether that is something that we could or should include in Stage 3. Patient-generated data is something that we are paying close attention to and understanding whether there are some areas where we may want to encourage providers to accept information directly from patients, captured from mobile technology or some other means.

FMH: Talk about how ONC is working with the FDA and FCC in the area of mHealth.

Daniel: We have been working hand-in-hand with the FDA on the development of their mobile medical apps guidance, which they put out in draft form [in 2011] and which they have committed to finalizing this fiscal year. We are working with the FDA as they are developing that guidance to make sure that it aligns with health IT policy more broadly. It's been a great collaborative effort with FDA.

We've also been working collaboratively with them on the Food and Drug Administration Safety and Innovation Act (FDASIA), which requires FDA to work with ONC and FCC to develop draft recommendations on a risk-based regulatory framework for health IT which includes mobile health. ONC established a FDASIA work group of our Health IT Policy Committee in order to get recommendations and input from a variety of stakeholders. Congress said that we could do that and we decided to use our Policy Committee as a vehicle for getting that public input.

So, we do have a work group and we're working hand-in-hand with the FDA and FCC, with representatives from all three agencies. It will be a joint effort to draft a framework based on the recommendations we get. And, we do intend to put that draft framework out for public comment. The goal is to both support safety and innovation of health IT, while reducing regulatory duplication. So, it's a lofty challenge for us. And, what we wanted to do was get as much public input as possible.    

FMH: How do you see the challenges of security as they relate to mHealth? I saw stats from ONC that more than 80 percent of physicians use smartphones or tablets, but very few actually take basic security precautions, such as using encryption to protect their data from unauthorized users. Do these numbers still hold true?

Marchesini (left): According to a recent health industry medical technology survey, a number that has changed is that healthcare providers are taking steps in a variety of methods to secure health information. For example, nearly 90 percent of respondents reported using data encryption measures while nearly three-quarters are using remote wipe capabilities. Another example is that two-thirds of the survey respondents reported that their organizations had a mobile technology plan in place, which was up from 38 percent of respondents that reported this in 2011.    

FMH: When it comes to commercially available devices, studies of out-of-the-box security configurations conducted by ONC have found that most mobile phones do not meet more than 40 percent of security requirements, such as the ability to encrypt information. Is this still the case?

Marchesini: We hope to actually make those materials from the study public. We're working currently to get all of that information up on HealthIT.gov website in the coming months.

FMH: I've heard that after manual configuration, ONC test results for these devices improved significantly, especially for iPhone and Blackberry models, which met 60 percent of the security requirements. However, other phones did not fare as well after manual configuration. How big a problem is this?

Marchesini: In general, healthcare organizations and providers need to protect the privacy and security of information, no matter what technology they are using. Although some devices might not have built-in technical controls that can be manually configured on the actual device, there potentially are additional tools available that expand the protection capabilities of the devices.  

Editor's note: This interview has been edited for length and clarity.